
feat: add incrementing and decrementing mutator #476

Merged (2 commits), May 18, 2024

Conversation

plotchy (Contributor) commented May 14, 2024

Ityfuzz uses these standard mutations from libafl

let mutations = tuple_list!(
    BitFlipMutator::new(),
    ByteInterestingMutator::new(),
    WordInterestingMutator::new(),
    DwordInterestingMutator::new(),
    ConstantHintedMutator::new(),
);

But using a more EVM-specific mutator for incrementing or decrementing inputs directly allows faster finding of control flow.

Take this contract

pragma solidity ^0.8.13;
contract debug {
    function foo(uint256 x) public {
        if (x > 2097151 && x < (uint(4194306) / uint(2))) {
            // 2097151     is b   111111111111111111111
            // 4194306     is b 10000000000000000000010
            // 4194306/2   is b  1000000000000000000001
            // solution    is b  1000000000000000000000

            // it's really hard to find the answer by
            // bitflipping the push values of 2097151 and 4194306 (since you need at least two precise bitflips)
            // but it's really easy if you just increment the 2097151 push value

            assert(false);
        }
    }
}

The values of 2097151 and 4194306 and 2 are push values that will be used by ConstantHintedMutator. However, copying inputs to these values directly will fail to get past < and > flows. Since < and > are such common operations on push'd values, I think adding mutators to help pass that is helpful.

The BitFlipMutator after the ConstantHint is the best chance it has to get past the < and >, but it isn't as good as just trying to add or subtract one since the bitflips can be anywhere in the bit space, not just at the end.

IncDecMutator just takes the input and does a wrapping addition or subtraction.

Results

I ran on this example with debug target mode. Without the PR it takes ~12s and 40k executions. With the PR it's basically instant.

WITHOUT

ERROR [Stats #0] run time: 0h-0m-12s, clients: 1, corpus: 3, objectives: 0, executions: 43264, exec/sec: 3.508k
ERROR ============= New Corpus Item =============
ERROR Reverted? true 
 Txn:
[Sender] 0xe1A425f1AC34A8a441566f93c82dD730639c8510
   ├─[1] 0xB2F0DF70137530d491303f09AeD849765e4e9f8C.foo(2097152)
   │  └─ ← 0x4e487b710000000000000000000000000000000000000000000000000000000000000001

WITH

ERROR test/debug2.sol:debug(0xb2f0df70137530d491303f09aed849765e4e9f8c): 60.53% Instruction Covered, 58.33% Branch Covered
ERROR [Stats #0] run time: 0h-0m-0s, clients: 1, corpus: 3, objectives: 0, executions: 5, exec/sec: 0.000
ERROR ============= New Corpus Item =============
ERROR Reverted? true 
 Txn:
[Sender] 0xe1A425f1AC34A8a441566f93c82dD730639c8510
   ├─[1] 0xB2F0DF70137530d491303f09AeD849765e4e9f8C.foo(2097152)
   │  └─ ← 0x4e487b710000000000000000000000000000000000000000000000000000000000000001
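The reasoning in the description above can be checked directly. The following is an added example written for this page, not ityfuzz's or libafl's code: it models a uint256 calldata argument as a big-endian 32-byte word, implements the wrapping increment/decrement the PR describes (the names `wrapping_add`, `wrapping_sub`, `inc_dec_candidates` and `single_bitflip_candidates` are this example's own, not the PR's `IncDecMutator` API), re-implements the branch condition of `debug.foo` on that word, and counts how many one-step mutations of each push value reach the `assert(false)` branch. It also shows the mod 2^256 wrap-around at both ends of the range, which is what makes the mutator safe to apply to arbitrary input.

```rust
// Added example (not ityfuzz or libafl code): a minimal increment/decrement
// mutator over a big-endian 256-bit EVM word, compared against single bit flips
// on the `debug.foo` branch from the PR description.

const WORD: usize = 32;
/// Big-endian uint256, the encoding of a uint256 argument in EVM calldata.
pub type Word = [u8; WORD];

/// Build a word from a small constant (e.g. a PUSH value seen in the bytecode).
pub fn word_from_u64(v: u64) -> Word {
    let mut w = [0u8; WORD];
    w[WORD - 8..].copy_from_slice(&v.to_be_bytes());
    w
}

/// Wrapping add of a small delta (mod 2^256), propagating the carry from the
/// least significant byte upward. Mirrors EVM `ADD`, which wraps silently.
pub fn wrapping_add(w: &Word, delta: u8) -> Word {
    let mut out = *w;
    let mut carry = delta as u16;
    for i in (0..WORD).rev() {
        if carry == 0 {
            break;
        }
        let sum = out[i] as u16 + carry;
        out[i] = (sum & 0xff) as u8;
        carry = sum >> 8;
    }
    out
}

/// Wrapping subtract of a small delta (mod 2^256), propagating the borrow.
pub fn wrapping_sub(w: &Word, delta: u8) -> Word {
    let mut out = *w;
    let mut borrow = delta as u16;
    for i in (0..WORD).rev() {
        if borrow == 0 {
            break;
        }
        let cur = out[i] as u16;
        if cur >= borrow {
            out[i] = (cur - borrow) as u8;
            borrow = 0;
        } else {
            out[i] = (cur + 0x100 - borrow) as u8;
            borrow = 1;
        }
    }
    out
}

/// The inc/dec idea: every candidate one application of the mutator can
/// produce from a single input (here just +1 and -1).
pub fn inc_dec_candidates(w: &Word) -> Vec<Word> {
    vec![wrapping_add(w, 1), wrapping_sub(w, 1)]
}

/// Every single-bit flip of the input: what one bit-flip step can reach.
pub fn single_bitflip_candidates(w: &Word) -> Vec<Word> {
    (0..WORD * 8)
        .map(|bit| {
            let mut out = *w;
            out[bit / 8] ^= 1 << (bit % 8);
            out
        })
        .collect()
}

/// The branch condition of the PR's `debug.foo`: x > 2097151 && x < 4194306 / 2.
/// Big-endian byte arrays compare lexicographically, which is numeric order here.
pub fn foo_branch_taken(x: &Word) -> bool {
    let lo = word_from_u64(2097151);
    let hi = word_from_u64(4194306 / 2);
    *x > lo && *x < hi
}

/// Number of candidates produced by `mutate` from `seed` that reach the branch.
pub fn hits(seed: &Word, mutate: fn(&Word) -> Vec<Word>) -> usize {
    mutate(seed).iter().filter(|c| foo_branch_taken(c)).count()
}

fn main() {
    // Seeds are the three PUSH constants a constant-hinting mutator would copy in.
    for &push in &[2097151u64, 4194306, 2] {
        let seed = word_from_u64(push);
        println!(
            "seed {}: single bit flips reaching branch = {}, inc/dec reaching branch = {}",
            push,
            hits(&seed, single_bitflip_candidates),
            hits(&seed, inc_dec_candidates)
        );
    }
}
```

Run as a plain `cargo run` binary: from the seed 2097151, none of the 256 single bit flips satisfies the condition (clearing any low bit drops below the lower bound, setting any higher bit overshoots the upper one), while the +1 candidate lands exactly on 2097152. That is the "two precise bitflips versus one increment" argument from the description expressed as a countable property of the mutators.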

@fuzzland-bot (earlier comment marked as outdated)

@fuzzland-bot commented

Found: 19

| Project Name | Vulnerability Found | Time Taken | Log |
|---|---|---|---|
| BIGFI_exp.txt | ✅ Price Manipulation | 0h-1m-26s | Log File |
| Shadowfi_exp.txt | ✅ Price Manipulation | 0h-3m-5s | Log File |
| SEAMAN_exp.txt | ✅ Fund Loss | 0h-2m-11s | Log File |
| BEGO_exp.txt | ✅ Fund Loss | 0h-0m-22s | Log File |
| cftoken_exp.txt | ✅ Price Manipulation | 0h-0m-25s | Log File |
| Carrot_exp.txt | | -1 | Log File |
| MBC_ZZSH_exp.txt | ✅ Fund Loss | 0h-2m-45s | Log File |
| AUR_exp.txt | | -1 | Log File |
| SellToken_exp.txt | ✅ Fund Loss | 0h-0m-30s | Log File |
| ROI_exp.txt | ✅ Fund Loss | 0h-0m-33s | Log File |
| GPT_exp.txt | | -1 | Log File |
| OLIFE_exp.txt | | -1 | Log File |
| THB_exp.txt | | -1 | Log File |
| VerilogCTF.txt | ‼️ Crashed | -1 | Log File |
| CS_exp.txt | ✅ Price Manipulation | 0h-0m-21s | Log File |
| MintoFinance_exp.txt | ✅ Fund Loss | 0h-0m-56s | Log File |
| Novo_exp.txt | ✅ Price Manipulation | 0h-2m-30s | Log File |
| SELLC03_exp.txt | ✅ Fund Loss | 0h-1m-27s | Log File |
| Yyds_exp.txt | ✅ Fund Loss | 0h-1m-15s | Log File |
| DYNA_exp.txt | | -1 | Log File |
| EAC_exp.txt | | -1 | Log File |
| Annex_exp.txt | | -1 | Log File |
| PLTD_exp.txt | ✅ Price Manipulation | 0h-0m-45s | Log File |
| ApeDAO_exp.txt | ✅ Price Manipulation | 0h-0m-46s | Log File |
| GSS_exp.txt | ✅ Fund Loss | 0h-1m-4s | Log File |
| Axioma_exp.txt | ✅ Fund Loss | 0h-0m-52s | Log File |
| RFB_exp.txt | ✅ Fund Loss | 0h-2m-18s | Log File |
| HEALTH_exp.txt | ✅ Price Manipulation | 0h-0m-16s | Log File |

@shouc shouc merged commit 4d06f28 into fuzzland:master May 18, 2024
1 check passed